STATEMENT BY

JOHNNIE E. FRAZIER
INSPECTOR GENERAL
U.S. DEPARTMENT OF COMMERCE

BEFORE THE
COMMITTEE ON GOVERNMENT REFORM
SUBCOMMITTEE ON TECHNOLOGY, INFORMATION POLICY,
INTERGOVERNMENTAL RELATIONS AND THE CENSUS
UNITED STATES HOUSE OF REPRESENTATIVES

JUNE 24, 2003


Mr. Chairman and members of the subcommittee, I appreciate the opportunity to appear today to provide the Inspector General’s (IG’s) perspective on information technology (IT) security in the Department of Commerce.

Commerce’s IT systems and the data they process and store are among the most critical assets of virtually all the Department’s line offices and operating units. For example, satellite, radar, and other weather forecasting data and systems managed by the National Oceanic and Atmospheric Administration (NOAA) are critical to protecting lives and property; export license data compiled by the Bureau of Industry and Security (BIS) is essential to controlling the export of dual-use commodities to foreign governments and entities; economic indicator data developed by the Economics and Statistics Administration (ESA) has significant policy-making and commercial value and may affect the movement of commodity and financial markets; and data of the U.S. Patent and Trademark Office (USPTO) is essential to administering national and international laws relating to patents and trademarks, promoting industrial and technical progress in the United States, and strengthening the national economy. Clearly, maintaining the security of Department of Commerce data and systems is of overriding importance to both the agency and the nation.
Loss of or serious damage to any one of the Department’s critical systems can have far-reaching, long-term, and possibly devastating impacts. Furthermore, without effective IT security, the Department’s electronic government initiatives cannot be successful.

State of IT Security at the Department of Commerce

When I first testified on IT security two years ago, I had few favorable observations to share. The Department was striving to improve IT security and make it an integral component of Commerce’s business operations. However, our work, augmented at the time by GAO’s penetration testing of information systems and networks based in Commerce headquarters, revealed pervasive IT security weaknesses that placed sensitive systems at serious risk. Weaknesses Department-wide prompted us to identify IT security as a top management challenge. Indeed, Commerce exhibited the six common government-wide IT security weaknesses identified by the Office of Management and Budget (OMB) in its FY 2001 report to Congress on government information security reform:

   1. Lack of agency senior management attention to IT security.
   2. Poor security education and awareness.
   3. Failure to fully fund and integrate security into its capital planning and investment control process.
   4. Failure to ensure that contractor services are adequately secure.
   5. Lack of detecting, reporting, and sharing information on vulnerabilities.
   6. Lack of IT security performance measures.

OMB’s FY 2002 report to Congress on the state of IT security in the federal government, which was submitted in May, noted that while efforts are still warranted across these six areas, progress is clearly evident, and the federal government is headed in the right direction.
I am pleased to report today that Commerce, too, has made progress and is headed in the right direction. But the Department must overcome a history of neglect. In his April testimony before this subcommittee, the Department’s CIO, Thomas N. Pyke, aptly stated that Commerce has been “coming from behind” as it strives to implement a comprehensive IT security program. Although significant strides have been made, implementing a comprehensive program to enhance IT security continues to be a top management challenge. As we advised, the Department reported IT security as a material weakness in its Accountability Report in both FY 2001 and FY 2002, and we believe it should continue to be reported as such until Commerce systems that are part of the nation’s critical infrastructure (national critical systems), as well as those that are mission critical, have been certified and accredited.[1]

[1] Certification denotes that the system’s security controls have been tested and found to be adequate; accreditation signifies that the responsible senior manager has formally authorized its operation and accepts any residual risk.

USPTO must also address serious IT security issues. As a performance-based organization, USPTO has been submitting its IT security review separate from that of the Department of Commerce. It is also undertaking actions separate from the Department to manage IT security, so we reviewed USPTO’s IT security program separately in FY 2002. Like the rest of the Department, USPTO is making progress in IT security, but it, too, faces significant challenges.
At our urging, USPTO, like the Department, reported IT security as a material weakness in its FY 2002 Accountability Report, and we believe it should continue to be reported as such until all USPTO’s mission-critical systems are accredited. (We note that USPTO does not have any IT assets identified as part of the nation’s critical infrastructure.)

The Six Areas of IT Security Weakness Reported by OMB as They Apply to Commerce

I would like now to address the six areas of weakness reported by OMB as they apply to Commerce, covering their status before GISRA (the Government Information Security Reform Act) was enacted, the progress that has been made since that time, and the actions Commerce is taking to address its deficiencies. I will then discuss how we perform our evaluations and how our objectivity and independence bring unique insight to this important area.

1. Agency senior management attention to IT security.

Before GISRA was enacted, IT security was not a high priority for senior officials in the Department. This area of responsibility was commonly regarded as belonging solely to the CIOs, who did not treat it as a priority either. And this lack of concern and attention showed. Reflecting a history of neglect, Commerce’s IT security program was incomplete, portions that existed were out-of-date, and the program was not enforced. The majority of the Department’s IT systems had not been assessed for risk, did not have security plans, and were neither certified nor accredited.
This meant that, more often than not, security controls had not been tested, systems were operating without required management authorization, and management officials lacked an understanding of the risks their organizations were incurring by permitting their systems to operate.

Since the enactment of GISRA, the Department’s perspective on IT security has changed completely: senior Department management has become intensely aware of and takes very seriously its IT security responsibilities. Under GISRA, IT security became the explicit responsibility of federal agency senior management—the agency head, senior line managers, and the CIO. GISRA charged the Secretary with ensuring the security of information and information systems by promoting security as an integral component of the agency’s business operations. Senior Commerce managers were given specific responsibility for protecting the security of operations and assets they control.

As we reported in our FY 2001 independent evaluation, in the summer of 2001 the Department began a concerted effort to improve IT security and make it an integral component of Commerce’s business operations. Specifically, the Secretary of Commerce directed secretarial officers and heads of operating units to (1) give IT security high priority, sufficient resources, and their personal attention, and (2) restructure, and thus strengthen, IT management by having a CIO at each unit who reports to the unit head or principal deputy and to the Department CIO, and by increasing the unit CIO’s authority over IT resources.
We noted that these actions—if accompanied by continued executive-level attention and adequate resources—were important steps in building a more effective IT security program.

Our FY 2002 evaluation confirmed that Department-level executive support for IT security continued. Both the Secretary and Deputy Secretary continued to emphasize to senior Commerce officials the importance of IT security and senior management’s responsibility for establishing effective IT security programs in the operating units. They also continued to stress to senior management their leadership role in correcting the problems identified by OIG and GAO evaluations. Our FY 2002 GISRA review found that senior management officials in Commerce’s operating units generally were giving IT security their personal attention and were working to ensure that employees understood the responsibilities of their unit’s CIO and program officials, as well as their own personal responsibility, for IT security.

However, we still found a need for greater senior management attention in both of the agencies whose IT security programs we reviewed comprehensively in FY 2002—the National Institute of Standards and Technology (NIST) and USPTO. We found that IT security was not receiving adequate senior management attention, and as a result, significant weaknesses existed in planning, budgeting, implementation, review, and oversight.
Consequently, we concluded that there had been a lack of follow-through in carrying out such fundamental responsibilities as:

   •   establishing comprehensive IT security policies and procedures;
   •   identifying, assessing, and understanding risks to agency IT assets;
   •   determining IT security needs commensurate with the levels of risk;
   •   planning, implementing, and testing controls that adequately address risk;
   •   continually monitoring and evaluating policy and effectiveness of information security practices; and
   •   developing a capital planning and investment control process and integrating IT security into it.

Since the time of these most recent evaluations, the heads of both of these agencies have stated their commitment to protecting their information assets. In a memorandum to his senior management team, the director of NIST acknowledged his responsibility for the security of NIST’s data and IT systems, and directed all members of NIST’s upper management to give IT security high priority and to ensure that NIST’s policies, procedures, and operational environment are exemplary. NIST has also restructured the CIO’s office with the goal of improving its effectiveness.

Regarding USPTO, in response to our evaluation, the Under Secretary of Commerce for Intellectual Property and Director of USPTO began to devote additional attention and resources to this area. In addition to identifying IT security as a material weakness in its FY 2002 Accountability Report, USPTO further demonstrated its commitment to improving IT security as part of a new corporate strategy presented in The 21st Century Strategic Plan.
Referring to the OIG evaluation, the plan states that USPTO is not in compliance with the law and that because IT security has not yet become an integral part of USPTO’s business operations, fundamental IT security responsibilities are frequently not carried out. The plan concludes that the implication of not being compliant with GISRA is that neither internal nor external customers can trust USPTO’s automated information systems. It further presents tasks, milestones, and a schedule for correcting this problem that are consistent with our recommendations.

2. Security education and awareness.

In our FY 2001 GISRA evaluation, we reported that security training was not conducted on a rigorous or ongoing basis, and none of the operating units was able to give us the information we requested about the number of employees who had received security training or the cost of providing such training. Our FY 2002 evaluation, however, found that significant progress had been made in providing awareness training to IT users. At the direction of the Department’s CIO, operating units had provided such training to all employees and contractor personnel either through programs of their own or via web-based training made available by the CIO. The operating units tracked and reported this training to the Commerce CIO and must continue to do so every year.

Operating units are responsible for identifying positions that require specialized IT security training as well as the specific training requirements for those positions. We found that less progress has been made in this area. Training for personnel with significant IT security responsibilities such as system administrators, IT security officers, and contracting officers appeared to be inconsistent and incomplete at the units we reviewed.
The Department CIO is addressing this issue by making training more accessible: an enterprise license was acquired for web-based IT security training, which makes both specialized and annual awareness training available throughout the Department. In conducting our ongoing independent evaluation this year, we are finding that some IT security officers still lack a sufficient understanding of their duties and responsibilities, thus highlighting the need for the Department to continue to focus on ensuring that specialized security training is provided to those who need it.

In addition, at the end of FY 2002, the Department CIO sponsored and paid for two important on-site training classes—Principles of Certification and Accreditation, and Roles and Responsibilities of the Designated Approving Authority. These classes covered the methodologies NIST is using to update its federal guideline on certification and accreditation. Although the sessions could not accommodate all personnel who needed them, they were an important step in addressing a critical training area.

3. Funding and integrating security into Commerce’s capital planning and investment control process.

By controlling IT spending decisions, the Department and operating unit CIOs can ensure that security is planned at the earliest stages of a system’s life cycle.
In our FY 2002 independent evaluation, we found that the Department CIO’s review and concurrence are required for IT investment decisions affecting all major systems, and—with the exception of NIST—all of the operating units we reviewed (BIS, ITA, NOAA, and NTIA) require unit CIO concurrence for smaller IT investments.

At the Department level, the Commerce Information Technology Review Board (CITRB), chaired by the CIO,[2] was established to support this decision-making function. The Department CIO, with input from the board, provides recommendations to the Deputy Secretary and the Office of Budget on the soundness of the planning for each proposed IT initiative, including the extent to which it addresses Department requirements for IT security and IT architecture. The board seeks to conduct a status review, usually once a year, for approved projects. The CIO, in turn, uses these reviews to recommend whether a project should be continued, modified, or terminated. IT projects costing more than $10 million that require a contract, as well as selected smaller projects, must be reviewed by the board in order for the operating unit acquiring the system to receive a delegation of procurement authority, which is the authority to make contractual commitments. In his FY 2004 and 2005 budget guidance to the operating unit CIOs, the Department CIO emphasized that demonstrating effective IT security is an important factor in the board’s review of budget requests.

NIST began to implement an IT capital planning and investment control process in FY 2002; however, our evaluation found that investment decisions could still be made without the review and concurrence of NIST’s acting CIO.
In responding to our evaluation, NIST noted that its capital investment planning process would be fully implemented in FY 2003, at which time CIO concurrence will be required.

[2] Other members of the board include the Chief Financial Officer and Assistant Secretary for Administration, who serves as co-chair; Deputy CFO; Deputy CIO; the CIOs from NOAA, Census Bureau, NIST, ITA, and, on a rotating term basis not to exceed 2 years, two other operating unit CIOs; selected operating unit executives as designated by the CIO; Director for Budget; Director for Acquisition Management; and Director for Human Resources Management.

As part of our FY 2002 independent evaluation, we examined the FY 2003 capital asset plans for 13 major departmental systems—9 of the systems were from NOAA, 2 were from NTIA, 1 was from NIST, and 1 from BIS—to determine whether each capital asset plan (1) specified the system’s projected security costs, (2) detailed how funds would be spent, and (3) adequately described the system’s security requirements. We found that most plans specified projected security costs, but only a few explained how these funds would be spent. Although most plans described the IT security activities that need to be conducted over the system life cycle, some did not detail specific risks and security controls. We concluded that the operating units need to do a better job of identifying security risks and controls throughout a system’s life cycle so that security expenditures can be better developed and justified. The Department CIO is addressing this issue by providing training in the preparation of capital asset plans and specific guidance for completing the security and privacy section. As mentioned earlier, IT security is also given special attention during CITRB reviews.

USPTO carries out its capital asset planning and budgeting process separately from that of the Department. Our FY 2002 evaluation found that USPTO needed to make significant improvements in this area. USPTO had not identified security costs for any individual system in its fiscal year 2002 or 2003 budget submissions. Nor had USPTO conducted an accurate, thorough analysis of existing security needs and the cost of satisfying them in order to develop its budget request. The fiscal year 2002-2007 budget formulation guidance provided by USPTO’s Office of the Chief Information Officer did not contain instructions for incorporating security costs into budget requests. In response to this finding, USPTO indicated that the budget system in its CIO office was enhanced to ensure that IT security costs are tracked for each system, and funding for IT security is included in each system’s budget plan.

4. Ensuring that contractor services are adequately secure.

This past April, Mark Forman, OMB Administrator for Electronic Government and Information Technology, testified before this subcommittee on the status of the federal government’s IT security. While discussing the security of contractor services, he noted that an issue group had been created to review the problem through the Administration’s Committee on Executive Branch Information Systems Security of the President’s Critical Infrastructure Protection Board.
The issue group recommended use of a government-wide security clause, a recommendation currently under review by the Federal Acquisition Regulatory (FAR) Council.

Of course, the need to safeguard sensitive information and information systems when contracting for services increases as outsourcing increases because the risk of security violations by contractors—whether inadvertent or deliberate—also grows. Thus, I share OMB’s concern about ensuring the security of contractor services and believe a FAR clause is needed. I am pleased that my office has been able to help address this issue by having our contracting expert, Karen DePerini, at the invitation of OMB, serve as co-chair of the issue group cited by Mr. Forman.

Through our FY 2001 independent evaluation, we identified problems with IT security in IT service contracts, resulting, in part, from a lack of sufficient federal and departmental policy and guidance to ensure that contract documents for IT services contain adequate IT security provisions. In FY 2002 we examined this weakness in greater detail: we reviewed 40 of the Department’s IT service contracts, including some awarded by USPTO, and found that provisions to safeguard sensitive but unclassified systems and information were either insufficient or nonexistent. Based on the results of this sample, we concluded that the majority of IT service contracts throughout the Department lacked needed IT security provisions.
Contracting officers and other acquisition team members need guidance and training, as well as support from technical experts and program officials, to ensure that they prepare and administer IT service contracts in a way that makes clear and enforceable the contractor’s responsibility and accountability for safeguarding the government’s information assets.

We recommended that the Department of Commerce’s Chief Financial Officer and Assistant Secretary for Administration take the necessary actions to ensure that all contracting offices within Commerce include adequate IT security provisions in all IT service contracts to protect the Department’s sensitive IT information and assets. Specifically, we urged the Department to establish standard contract provisions for safeguarding the security of unclassified systems and to disseminate clear, detailed policy guidance for acquiring these systems and services.

We further recommended that such a policy require contracting offices—with assistance from the Department’s Office of the CIO—to assess the IT security risk associated with the proposed service or system during the acquisition planning phases; identify and include appropriate IT security requirements in specifications and work statements; monitor contractor performance to ensure compliance with IT security requirements; and terminate the contractor’s access to systems and networks once the contract is closed out. We also advised the Department to review all current contracts and solicitations for IT services to determine whether IT security provisions should be added to them, even though such revisions might increase contract costs, and to ensure that all procurement personnel have appropriate training in IT security.

The Department is in the process of implementing our recommendations. Contract provisions have been written and are now undergoing departmental review. After the provisions are approved, Commerce plans to provide appropriate training to acquisition staff. The Department’s assessment of current contracts found that more than 350 need modification to address the new security provisions. In January, the Department CIO issued a new security program policy, which addresses IT security in contracts and should help ensure that future contracts include appropriate security provisions prior to being awarded.

5. Detecting, reporting, and sharing information on vulnerabilities.

GISRA requires agencies to have documented procedures for detecting, reporting, and responding to IT security incidents. In our FY 2001 independent evaluation, we found that only 4 of 14 operating units—Census, NIST, NOAA, and USPTO—had a formal incident response capability, and that the Department’s policy for reporting IT security incidents needed to be revised to specify notification of OIG and to define what constitutes a reportable incident. In FY 2002, the Department established a computer incident response team to support operating units that did not have their own incident response capability, thus ensuring coverage of the entire Department. The team will also be a focal point for obtaining and exchanging best practices and incident response methodologies.

The Department’s new security program policy includes improved guidance on incident identification, handling, response, and reporting.
It defines the types of incidents that need to be reported and requires each operating unit to submit its response procedures to Commerce’s critical infrastructure program manager, located in the Department CIO’s office, for review and approval. This requirement will help ensure that all units have documented procedures for reporting security incidents and sharing information about common vulnerabilities. The policy sets minimum requirements for incident response capabilities and prescribes the system-level processes and incident-handling procedures to be performed, including working with OIG investigators and other law enforcement authorities and reporting incidents to the Federal Computer Incident Response Center (FedCIRC). It also establishes requirements for monitoring and detecting incidents, including use of network- and host-based intrusion detection systems, logging tools, firewalls, and other devices, as well as review of audit logs, trouble reports, and information provided by intrusion detection tools.

As Mr. Pyke recently told the subcommittee, Commerce has established a capability to transmit IT security alerts Department-wide at any time and to activate Commerce emergency mobilization plans, as appropriate. To maintain up-to-date corrective patches for known vulnerabilities, the Department established a patch authentication and distribution account under the patch management contract awarded by FedCIRC.

6. IT security performance measures.

Although security plans have been required for federal IT systems since the Computer Security Act of 1987, when I testified two years ago, nearly two-thirds of the Department’s systems lacked risk assessments, almost half did not have a security plan, and more than 90 percent were not certified or accredited.
These were serious deficiencies that the Department has since been addressing zealously. The table below shows the status of these items, based on Department reporting, between FY 2000 and FY 2003.

Percent of Systems with Risk Assessments, Security Plans, and Certification/Accreditation*

                                      FY 2000      FY 2001      FY 2002
                                      (percent)    (percent)    (percent)
  Risk Assessments                       28           74           94
  Security Plans                         54           69           96
  Systems Certified and Accredited        8           48           77

  *Table excludes USPTO’s systems.

Last fiscal year, the Department CIO set September 30, 2002, as the deadline for having approved security plans for all general support systems and major applications. In its fiscal year 2002 GISRA review, the Department reported that of its 609 systems, 94 percent had risk assessments, 96 percent had security plans, and 77 percent were certified and accredited. OMB has established a goal that by the end of 2003, 80 percent of federal IT systems shall be certified and accredited. The Department’s goal is to have all national critical, mission critical, and classified systems certified and accredited by the end of this fiscal year.

Performance Measures Do Not Tell the Whole Story; Aggressive Schedules May Actually Weaken the Process

Achieving certification and accreditation for all systems is imperative, and we support the effort to certify and accredit all systems as soon as possible.
Our independent evaluations suggest, however, that the Department’s aggressive schedule is causing some systems to be certified and accredited in the absence of adequate risk assessments and security plans and without rigorous and effective testing, evaluation, and review processes. While a concerted effort toward certification and accreditation must continue, it is equally critical that the rigor and integrity of certification and accreditation processes be maintained. Otherwise, we may have paper security, but lack true security.

Our concern stems from the fact that our 2002 GISRA review, whose fieldwork we completed in July, found numerous systems operating without required risk assessments, approved security plans, or certification and accreditation. Moreover, some with approved security plans could provide no evidence that a risk analysis—a prerequisite for the security plan—had been conducted. Too many operational systems we reviewed had not been accredited, and many lacked up-to-date security plans and risk assessments. Those that were accredited frequently lacked evidence of the requisite security testing and evaluation, thus diminishing the assurance that accreditation is intended to impart. For example,

   •   NIST had established an ambitious schedule for accrediting all of its systems by September 1, 2002. As of July, none of NIST’s 109 operational systems had a documented risk assessment or an approved security plan, and only two had accreditation. Moreover, the dates by which NIST’s offices were to receive a risk assessment methodology had passed, yet the methodology had not been provided. All future dates depended on the risk assessments; thus this delay affected the entire schedule. We were concerned that this aggressive schedule would not permit sufficient analysis, documentation, or review to achieve adequate product content or quality or support meaningful certification and accreditation processes. To address our concern, NIST stated it would have its CIO review all NIST system certifications and accreditations in FY 2003.

   •   At the time of our evaluation of USPTO, 82 percent of USPTO’s 78 operational systems lacked documented risk assessments, and the security plans for 30 percent of those systems were more than 3 years old. None of USPTO’s systems had been certified and accredited. In response to our review, USPTO planned to certify and accredit all high-risk systems by the end of FY 2003 and the remaining systems by the end of FY 2004.

   •   Security plans were provided for all four of BIS’s systems, which were generally consistent with NIST guidance for content and format, but evidence of a risk assessment was provided for only one system. Although BIS considered the plans approved, it lacked a formal approval process and thus could not validate the approval. None of the systems had undergone security testing and evaluation or been certified or accredited.

   •   Risk assessments had been performed on the four ITA systems for which we requested documentation. ITA provided two security plans that it considered approved and two draft plans. However, like BIS, ITA lacked a formal approval process. Our review of the two approved plans found them to be generally consistent with NIST guidance for content and format but in need of additional information on rules for using the systems appropriately; they also did not comply with the Department’s password policy. Furthermore, none of the systems had undergone security testing and evaluation or been certified or accredited.

   •   NOAA’s Office of Atmospheric Research (OAR) and National Marine Fisheries Service (NMFS) had performed risk assessments on their systems. With one exception, systems belonging to the National Environmental Satellite, Data, and Information Service (NESDIS) and National Ocean Service (NOS) provided hazard information that did not give enough detail to determine needed security controls or conduct certification activities. All the NOAA offices we reviewed had up-to-date security plans whose content and format were generally consistent with NIST guidance and were approved by an IT security officer. However, some of the plans provided by NESDIS, NMFS, and NOS had been updated after the Department issued a revised password policy but did not comply with that policy. Although all NOAA systems we reviewed had current certifications and accreditations, only one had evidence of security testing and evaluation. The seven NESDIS systems we reviewed were accredited after we requested documentation, and the accreditations appear to have been granted in haste. Because we found no concrete evidence to indicate that the appropriate steps had been taken, including security testing and evaluation, the validity of NESDIS’ certification and accreditation process is questionable.
Since our review, NOAA\n\n    reported that it has implemented the Department\xe2\x80\x99s new password policy and all\n\n    security plans will be updated to reflect this by September 2003.\n\n\n\n\xe2\x80\xa2   NTIA had conducted risk assessments on the two systems for which we requested\n\n    documentation and provided security plans for both systems. The content and\n\n    format of these plans were generally consistent with NIST guidance, but like ITA\n\n    and BIS, NTIA lacked a formal plan approval process. Neither system had\n\n    undergone security testing and evaluation or certification and accreditation.\n\n\n\n\n                                         20\n\x0cIn this year\xe2\x80\x99s evaluations, we have found systems whose documented sensitivity levels\n\nare understated; their security controls, therefore, are not commensurate with the level of\n\nrisk. Similar to last year, security plans were developed without current risk assessments,\n\nand essential information required for selecting appropriate security controls was\n\nmissing. Also similar to last year, systems were certified and accredited without testing\n\nof security controls.\n\n\n\nWhen implemented properly, the combination of certification and accreditation is a\n\npowerful method for helping to ensure that effective management, operational, and\n\ntechnical controls are in place and functioning as intended. Certification actions may be\n\nscaled to the level of IT security being evaluated, but they must be sufficient to confirm\n\nthat the security features of the systems have been implemented as intended and are\n\nperforming properly, and that the operational sites comply with requirements for\n\nphysical, procedural, and communications security. This confirmation cannot be\n\nachieved without some amount of testing. Unless the certification and accreditation\n\nprocesses are rigorous, the assurances these credentials are intended to impart will be\n\nillusory. 
It is by confirming the substance and quality of such critical processes and\n\ncontrols that IGs can play a uniquely valuable role: performance measures focus the\n\nDepartment on getting the job done; our work helps ensure the job is done right.\n\n\n\nThe Department recognizes the need for credible IT security processes and products. In\n\nFY 2002, to address this need, it began an IT security compliance program, which\n\nincludes quality reviews of certification and accreditation materials for selected systems.\n\n\n\n\n                                            21\n\x0cThis year, the Department plans to review these materials for all national critical, mission\n\ncritical, and classified systems. This review program is a positive step. Nonetheless, our\n\nconcern remains that aggressive schedules for certification and accreditation may weaken\n\nkey processes intended to ensure needed IT security.\n\n\n\nHow We Perform Our Independent Evaluations\n\n\nGISRA instructed IGs to perform annual independent evaluations of their agency\xe2\x80\x99s IT\n\nsecurity programs and practices. The evaluation was to include testing the effectiveness\n\nof IT security control techniques for an appropriate subset of the agency\xe2\x80\x99s information\n\nsystems. The Federal Information Security Management Act of 2002 (FISMA) similarly\n\nrequires IGs to perform an independent evaluation, including testing a representative\n\nsubset of the agency\xe2\x80\x99s information systems. OMB Memorandum M-01-08, Guidance on\n\nImplementing the Government Information Security Reform Act, January 16, 2001, stated\n\nthat the Act recognizes that not all systems can be reviewed every year and directs IGs to\n\nuse a sampling of systems to draw conclusions regarding the effectiveness of the\n\nagency\xe2\x80\x99s overall security program. 
This guidance also encourages IGs to use reviews\n\nperformed by other experts in their evaluations.\n\n\n\nWe have followed this guidance and found it to be both practical and effective. Our\n\nindependent evaluations consist of a mix of reviews:\n\n\xe2\x80\xa2     To assess the effectiveness of policy and oversight, we review the IT security\n\n      program policies of the Department and selected operating units.\n\n\n\n\n                                            22\n\x0c\xe2\x80\xa2   To evaluate operational, technical, and management controls of nonfinancial\n\n    systems, we review selected IT systems using NIST\xe2\x80\x99s Security Self-Assessment\n\n    Guide for Information Technology Systems.\n\n\n\xe2\x80\xa2   To evaluate operational, technical, and management controls of financial systems,\n\n    we use the results of the general control reviews of financial systems conducted by\n\n    OIG contractors using GAO\xe2\x80\x99s Federal Information System Controls Audit Manual\n\n    (FISCAM), which also include limited vulnerability assessments.\n\n\n\n\xe2\x80\xa2   To obtain additional information regarding the responsibilities of the agency head,\n\n    training of personnel with significant IT security responsibilities, and integration of\n\n    IT security into the capital planning and investment control process, we interview\n\n    the CIO and senior IT security officials from the Department and selected\n\n    operating units, and review pertinent documentation, including selected capital\n\n    asset plans.\n\n\n\xe2\x80\xa2   To obtain coverage of additional operating units and systems, we review the risk\n\n    assessment, security plan, security testing and evaluation materials (test procedures\n\n    and results), and certification and accreditation documents for selected systems.\n\n\n\xe2\x80\xa2   To extend our coverage further, our evaluation also includes, when available, the\n\n    results of IT security reviews performed by other 
parties\xe2\x80\x94typically contractors\n\n    engaged by the operating units\xe2\x80\x94if we determine, in accordance with OMB\n\n    guidance, that they are of sufficient quality, applicability, and independence.\n\n\n\n\n                                          23\n\x0cOur independent evaluations are conducted by computer scientists and IT security\n\nspecialists in our Office of Systems Evaluation, several of whom have security\n\ncertifications and are active on interagency working groups addressing such topics as\n\nnetwork security, certification and accreditation, and procurement. But our resources are\n\nvery limited: we have about four full-time employees performing this work, not including\n\nour FISCAM staff and contractor resources. With 14 Commerce agencies and operating\n\nunits and approximately 600 IT systems, we offer our perspective on the state of IT\n\nsecurity in the Department based on our necessarily selective review. Although we do\n\nnot have sufficient resources or time to validate the specific details of the annual IT\n\nsecurity reports submitted by the Department and USPTO, our approach has not only\n\npromoted significant improvements in system and program security throughout the\n\nDepartment and USPTO, but has also served as a check and balance on their annual\n\nreporting. Our reviews provide objective and independent insight into the state of IT\n\nsecurity Department-wide, and virtually every review we have conducted has prompted a\n\nmajor overhaul of policy, oversight, or system security management.\n\n\n\nOur budget request for FY 2004 includes those resources we believe are essential for our\n\noffice to perform further vital oversight tasks. 
The requested funding level would allow\n\nus to perform vulnerability assessments and penetration testing of some nonfinancial\n\nsystems, a compelling mechanism for demonstrating that vulnerabilities exist and\n\nintrusions are possible, and a task that OMB, the General Accounting Office, and we\n\nbelieve should be conducted by IGs. OMB guidance directs agencies to develop plans of\n\naction and milestones (POA&Ms) to remediate program- and system-level IT security\n\n\n\n\n                                             24\n\x0cweaknesses and track each deficiency until it is corrected. According to OMB, an IG-\n\nverified, agency-wide POA&M process will be one of three criteria necessary for\n\nagencies to improve their IT security status on the Expanding E-Government Scorecard.\n\nWhile we can determine whether the Department\xe2\x80\x99s POA&M process is sound, the\n\nfunding we have requested will allow us to also validate the implementation of a sample\n\nof the corrective actions contained in the plans. At present, we are able to track the\n\ncorrective actions only for deficiencies identified in our financial systems reviews. The\n\nincrease also will allow us to conduct much-needed additional IT system and operating\n\nunit security program reviews.\n\n\n\nWe believe we have focused and leveraged our efforts effectively. We work closely with\n\nthe Department CIO to ensure our efforts are complementary and mutually supportive.\n\nWe also work with operating unit CIOs and, increasingly, with program officials. I\n\nbelieve that GISRA established an effective foundation for improving IT security in the\n\nfederal government and that FISMA will reinforce this goal. It is a privilege to be able to\n\ncontribute to improvements in this area, and we hope to do more as time goes on.\n\n\n\nThis concludes my statement. A list of the reports that are part of our independent\n\nGISRA evaluations is included as an attachment. Mr. 
Chairman, I would be happy to\n\nanswer any questions you or other members of the subcommittee might have.\n\n\n\n\n                                             25\n\x0c                                                                        ATTACHMENT\n\n\n                          U.S. Department of Commerce\n                            Office of Inspector General\n                           Evaluation and Audit Reports\n                        on Information Technology Security\n\n                                       Evaluations\n1    Office of the Secretary, Independent Evaluation of the Department's Information Security\n     Program Under the Government Information Security Reform Act, OSE-15260,\n     September 2002.\n2    United States Patent and Trademark Office, Independent Evaluation of USPTO's\n     Information Security Program Under the Government Information Security Reform Act,\n     OSE-15250, September 2002.\n3    National Institute of Standards and Technology, Additional Improvements Needed To\n     Strengthen NIST's Information Security Program, OSE-15078, September 2002.\n4    United States Patent and Trademark Office, Stronger Management Controls Needed for\n     the Patent Application Capture and Review Automated Information System, OSE-14926,\n     August 2002.\n5    Office of the Secretary, Information Security Requirements Need to Be Included in the\n     Department's Information Technology Service Contracts, OSE-14788, May 2002.\n6    United States Patent and Trademark Office, Additional Senior Management Attention\n     Needed to Strengthen USPTO's Information Security Program, OSE 14846, March 2002.\n7    Office of the Secretary, Independent Evaluation of the Department's Information Security\n     Program Under the Government Information Security Reform Act, OSE-14384,\n     September 2001.\n8    Economics and Statistics Administration, Additional Security Measures Needed for\n     Advance Retail Sales Economic Indicator, OSE-12754, 
September 2001.\n9    United States Patent and Trademark Office, Independent Evaluation of USPTO's\n     Information Security Program Under the Government Information Security Reform Act,\n     OSE-14384, September 2001.\n10   Office of the Secretary, Program for Designating Positions According to Their Risk and\n     Sensitivity Needs to Be Updated and Strengthened, OSE-14486, September 2001.\n11   Office of the Chief Information Officer: Use of Internet \xe2\x80\x9cCookies\xe2\x80\x9d and \xe2\x80\x9cWeb Bugs\xe2\x80\x9d on\n     Commerce Web Sites Raises Privacy and Security Concerns, OSE-14257, April 2001.\n12   Office of the Chief Information Officer: Additional Focus Needed on Information\n     Technology Security Policy and Oversight, OSE-13573, March 2001\n13   Office of the Chief Information Officer: Critical Infrastructure Protection: Early\n     Strides Were Made, but Planning and Implementation Have Slowed, OSE-12680, August\n     2000.\n\n\n\n\n                                             26\n\x0c                             Financial Statements Audits\n            [These audits are performed annually; listed below are only the audits\n                               covering FY 2000 and FY 2001.]\n14   U.S. Department of Commerce, Consolidated Financial Statements, Fiscal Year 2001,\n     Improvements Needed in the General Controls Associated with the Department\xe2\x80\x99s\n     Financial Management Systems, Audit Report No. FSD-14474-2-0001, February 2002.\n15   Bureau of the Census, Improvements Needed in the General Controls Associated with\n     Census\xe2\x80\x99 Financial Management Systems, Audit Report No. 
FSD-14473-2-0001,\n     February 2002.\n16   National Technical Information Service, Improvements Needed in the General Controls\n     Associated with NTIS\xe2\x80\x99s Financial Management Systems, FSD-14476-2-0001/February\n     2002.\n17   National Oceanic and Atmospheric Administration, Improvements Needed in the General\n     Controls Associated with Financial Management Systems, FSD-14475-2-0001/February\n     2002.\n18   Department of Commerce: Consolidated Financial Statements, FY 2000, FSD-12849-1,\n     March 2001.\n19   National Institute of Standards and Technology, Improvements Needed in the General\n     Controls Associated with Financial Management Systems, FSD-12859-1, February 2001.\n20   Economic Development Administration, Improvements Needed in the General Controls\n     Associated with Financial Management Systems, FSD-12851-1, January 2001.\n21   Bureau of the Census, Improvements Needed in the General Controls Associated with\n     Financial Management Systems and FY 2000 Penetration Test Results, FSD-12850-1,\n     January 2001.\n22   National Technical Information Service, Improvements Needed in the General Controls\n     Associated with Financial Management Systems, FSD-12857-1, January 2001.\n23   Office of the Secretary, Follow-up Review of the General Controls Associated with the\n     Office of Computer Services/Financial Accounting and Reporting System, FSD-12852-1,\n     January 2001.\n24   International Trade Administration, Review of General and Application System Controls\n     Associated with the Fiscal Year 2000 Financial Statements, FSD-12854-1, January 2001\n25   National Oceanic and Atmospheric Administration, Improvements Needed in the General\n     Controls Associated with Financial Management Systems, FSD-12855-1, December\n     2000.\n26   United States Patent and Trademark Office, Improvements Needed in the General\n     Controls Associated with Financial Management Systems, FSD-12858-1, December\n     2000.\n\n\n\n\n    
                                       27\n\x0c"